
Before going live with my website, I gave some thought to security:

This question is about understanding the processing in PHP and does not strive for a solution to securing the form.

Consider this barebone script, which is completely insecure against XSS and SQL injection if provided.

<?php
// Deliberately insecure, as the question states: the raw value is echoed straight into HTML.
if (isset($_POST['submit']) && $_POST['submit'] == "1") {

    $input = $_POST['input'];
    echo "echo the input: " . $input . "<br/>";
}
?>
<!-- <? $PHP_SELF; ?> in the original did not echo anything; the request path has to be echoed explicitly -->
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
<input type="text" name="input" value="<?php echo isset($_POST['input']) ? $_POST['input'] : ''; ?>"/>
<input type="hidden" name="submit" value="1"/>
<input type="submit" value="submit"/>
</form>

I am wondering why an injection like this does not work (in the input field):

";unset('index.php');

I am naively thinking the "; would end the echo and then proceed with the code. Actually I am very happy this does not work, but I would like to know why. In SQL something like this would actually work: ' OR 1'.

I know how to secure this with addslashes or htmlspecialchars, but this is not the question. I want to gain an insight into how PHP works in processing this.

Thanks.

  • Regarding your own aside: be careful with any string-munging functions such as addslashes(), mysql_real_escape_string() and htmlspecialchars(); they only give you the protection you desire in select places and under certain circumstances. See stackoverflow.com/questions/110575/… Commented Jan 9, 2012 at 9:55

2 Answers

The contents of $_POST array elements are strings. So, whenever you submit ";unset('index.php');" (btw, doesn't unset work on variables?) you actually send that as a string, not as PHP executable code.

Unless you're using eval(), you don't need to worry about PHP code being evaluated.

Another thing: don't use addslashes() to secure queries, but use your library's dedicated function, such as mysql_real_escape_string() for MySQL. Or better, use query bindings with prepared statements and parametrized queries.

4 Comments

Hi. Yes, but against XSS wouldn't I use htmlspecialchars? Or is that obsolete if I use POST instead of GET? <script>alert('hi');</script>
No, htmlspecialchars() or htmlentities() are indeed what you use against XSS (both for $_POST and $_GET and $_COOKIE; for everything, actually). I was talking about securing DB queries; I thought you referred to that when talking about addslashes().
I mark this as the answer because it explains the reasons more. Thanks to kolink too.
I was going to do that :P Damien, if we are only using echo is it still dangerous? Or would it only be dangerous if we use eval?
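To make the accepted answer concrete, here is an added example (not code from the question or either answer) that runs the question's exact payload through the same concatenation from the command line. It simulates the POST request with a constructed $_POST array, so no web server is needed; echo_line() and escaped_line() are hypothetical helper names.

```php
<?php
// PHP compiles the whole script before any request data exists, so a $_POST
// value can only ever be a string value joined to other strings at run time.
// Constructed sample request: the payload from the question, as submitted.
$_POST = ['submit' => '1', 'input' => '";unset(\'index.php\');'];

function echo_line(string $input): string {
    // Identical concatenation to the question's script. The double quote inside
    // $input is just a character in the data; the parser finished long ago.
    return "echo the input: " . $input . "<br/>";
}

function escaped_line(string $input): string {
    // Hardened output for an HTML context: " < > & ' become entities, so the
    // browser, like PHP, treats the value as text rather than markup or script.
    return "echo the input: " . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "<br/>";
}

if ($_POST['submit'] === '1') {
    $input = $_POST['input'];
    var_dump($input);                 // string(21) "";unset('index.php');"  (plain data)
    echo echo_line($input), "\n";     // reflects the raw text: an XSS sink, but no PHP runs
    echo escaped_line($input), "\n";  // echo the input: &quot;;unset(&#039;index.php&#039;);<br/>
    var_dump(file_exists(__FILE__));  // bool(true): nothing was unset or deleted
    // Only passing $input to eval() would hand the string to the parser; this
    // script never does, which is the whole point of the accepted answer.
}
```

The first line of output is the one to remember: the payload arrives as a string of 21 characters, and the only thing that decides whether it is dangerous is the context it is later written into (HTML here, hence htmlspecialchars()).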

It would work if you put it through eval(), but otherwise it's just a string like any other.

2 Comments

So you mean if I write eval() in the processing, or if someone injects with eval: ";eval(unset('index.php'));. I guess the first, which pleases me because I never used eval before.
@Email NO, if you send eval(unset($var)) you are STILL sending a string, a literal string. eval() has to evaluate the string provided in order to make it PHP executable code; if there's no eval() in your code, you're safe against that problem.
